SIP server on DMZ - how to set up working rules

Hi.

I think I need assistance to fully understand how the firewall and routing/forwarding work in XG.


I have a question related to SIP server in DMZ.

So - to describe:

I have 3 ports: 1: WAN (bridge - public IP), 2: LAN (192.168.2.x), 3: DMZ (192.168.100.x)

On DMZ I have SIP server - this server should be accessible for LAN users and internet users. It is not using 5060 as default port - so let's say for registrations it is using port 50808 (as example) - this is to limit access attempts.

I have set up some rules to that SIP server like:

Source: Host Any
Hosted Server: Zone Any, hosted address #Port1 

Protected Application Servers: Zone DMZ, Protected Application Server: created HOST pointing to 192.168.100.XXX address of the SIP server, forward all ports OFF

Port Forwarding: TCP, and defined ports - the same for mapped.(similar for UDP)

Routing MASQ ON

Reflexive Rule: ON


There are a few issues - I can register from LAN computers. Some connected to Internet (outside) can register (not all) - but in registration list I see internal IP of gateway 192.168.100.1 - (so it looks like they have registered from gateway - probably NAT) - normally I should see real IP of registered clients - and finally - if I use TRUNK to call I can hear IVR, but when I try to select number to call my internal number - no voice. So looks like voice is not passing.

To add - in rules I have created similar rules for ports 16384:32768 (UDP and TCP) used for final voice communication.

So question - how to configure XG to have this working? To have server behind firewall accessible? I had this working with CLEAR OS before - but as I want to switch to SOPHOS - I have to solve this ASAP - this server is used by me and my family as main communication platform.

Thanks for any suggestions

Mike....



  • So...

    I have decided to move the SIP server (FusionPBX container) temporarily to datacenter to have the service working without interruptions - and to test this at home with different scenarios for sophos beta version. Just to see if there are changes in the future which can help.


    I hope I would find strict working solution and I would post this here. I think it could be useful for some people in the future.
    I did that kind of test in the past for Asterisk and Elastix based servers - apparently not with SOPHOS - and I know that a lot of people would like to have tested and working solution. So far I didn't manage with XG firewall. I had that working with UTM9 - but sometimes there were issues - but in that case I think hardware related - as I was using old D525 router motherboard which was not so powerful.

    If somebody can provide tested solution for FreeSwitch with external trunks which are working on separate ports plus clients connecting from LAN to DMZ and Internet/WAN to DMZ - with full voice support - based on limitation that there is only one IP on the bridge - where SIP is not the only service to be forwarded and protected - please let me know.

    I'm fine to test this and to verify that all is working.

    Thanks for all suggestions. I like the SOPHOS XG functionality - and I see that as possible solution for some IT projects. As well as good solution for Home users. Today we all should be protected...


    Mike
